Business/AccountHub
2
0
Fork 2
Code Issues 3 Pull Requests Releases 3 Wiki Activity

Refactor and enforce Content-Security-Policy

Browse Source
This commit is contained in:
Skylar Ittner 2017-11-13 16:14:47 -07:00
parent 0bc3d2776c
commit 81339b8cd0
6 changed files with 85 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
apps/setup_2fa.php
View File

@ -24,8 +24,15 @@ if (userHasTOTP($_SESSION['username'])) {
$codesecret = $totp->getSecret(); $codesecret = $totp->getSecret();
$chunk_secret = trim(chunk_split($codesecret, 8, ' ')); $chunk_secret = trim(chunk_split($codesecret, 8, ' '));
$APPS["setup_2fa"]["content"] = '<div class="alert alert-info"><i class="fa fa-info-circle"></i> ' . lang("scan 2fa qrcode", false) . '</div>' . <<<END $APPS["setup_2fa"]["content"] = '<div class="alert alert-info"><i class="fa fa-info-circle"></i> ' . lang("scan 2fa qrcode", false) . '</div>' . <<<END
<style nonce="$SECURE_NONCE">
.mono-chunk {
text-align: center;
font-size: 110%;
font-family: monospace;
}
</style>
<img src="$qrcode" class="img-responsive qrcode" /> <img src="$qrcode" class="img-responsive qrcode" />
<div class="well well-sm" style="text-align: center; font-size: 110%; font-family: monospace;">$chunk_secret</div> <div class="well well-sm mono-chunk">$chunk_secret</div>
<form action="action.php" method="POST"> <form action="action.php" method="POST">
<input type="hidden" name="action" value="add2fa" /> <input type="hidden" name="action" value="add2fa" />
<input type="hidden" name="source" value="security" /> <input type="hidden" name="source" value="security" />

26
apps/sync_mobile.php
View File

@ -52,19 +52,29 @@ if (MOBILE_ENABLED) {
. lang("scan sync qrcode", false) . lang("scan sync qrcode", false)
. '</div>' . '</div>'
. <<<END . <<<END
<style nonce="$SECURE_NONCE">
.margintop-15px {
margin-top: 15px;
}
.mono-chunk {
text-align: center;
font-size: 110%;
font-family: monospace;
}
</style>
<img src="$qrcode" class="img-responsive qrcode" /> <img src="$qrcode" class="img-responsive qrcode" />
<div class="panel panel-default" style="margin-top: 15px;"> <div class="panel panel-default margintop-15px">
<div class="panel-body"> <div class="panel-body">
END END
. "<b>" . lang("manual setup", false) . "</b><br /><label>" . lang("username", false) . ":</label>" . "<b>" . lang("manual setup", false) . "</b><br /><label>" . lang("username", false) . ":</label>"
. '<div class="well well-sm" style="text-align: center; font-size: 110%; font-family: monospace;">' . $_SESSION['username'] . '</div>' . '<div class="well well-sm mono-chunk">' . $_SESSION['username'] . '</div>'
. "<label>" . lang("sync key", false) . "</label>" . "<label>" . lang("sync key", false) . "</label>"
. <<<END . <<<END
<div class="well well-sm" style="text-align: center; font-size: 110%; font-family: monospace;">$chunk_code</div> <div class="well well-sm mono-chunk">$chunk_code</div>
END END
. "<label>" . lang("url", false) . "</label>" . "<label>" . lang("url", false) . "</label>"
. <<<END . <<<END
<div class="well well-sm" style="text-align: center; font-size: 110%; font-family: monospace;">$url</div> <div class="well well-sm mono-chunk">$url</div>
</div> </div>
</div> </div>
<a class="btn btn-success btn-sm btn-block" href="home.php?page=security">$lang_done</a> <a class="btn btn-success btn-sm btn-block" href="home.php?page=security">$lang_done</a>
@ -78,19 +88,23 @@ END;
$content .= "<div class='list-group'>"; $content .= "<div class='list-group'>";
if (count($activecodes) > 0) { if (count($activecodes) > 0) {
foreach ($activecodes as $c) { foreach ($activecodes as $c) {
$content .= "<div class='list-group-item mobilekey'><span style='font-family: Ubuntu Mono,monospace; flex-shrink: 0'>" . trim(chunk_split($c['code'], 5, ' ')) . "</span> <span class='tinybuttons'><a class='btn btn-primary btn-sm' href='home.php?page=security&mobilecode=generate&showsynccode=" . $c['codeid'] . "'><i class='fa fa-qrcode'></i></a> <a class='btn btn-danger btn-sm' href='home.php?page=security&delsynccode=" . $c['codeid'] . "'><i class='fa fa-trash'></i></a></span></div>"; $content .= "<div class='list-group-item mobilekey'><span id=\"mobilecode\">" . trim(chunk_split($c['code'], 5, ' ')) . "</span> <span class='tinybuttons'><a class='btn btn-primary btn-sm' href='home.php?page=security&mobilecode=generate&showsynccode=" . $c['codeid'] . "'><i class='fa fa-qrcode'></i></a> <a class='btn btn-danger btn-sm' href='home.php?page=security&delsynccode=" . $c['codeid'] . "'><i class='fa fa-trash'></i></a></span></div>";
} }
} else { } else {
$content .= "<div class='list-group-item'>" . lang("no active codes", false) . "</div>"; $content .= "<div class='list-group-item'>" . lang("no active codes", false) . "</div>";
} }
$content .= "</div>"; $content .= "</div>";
$content .= <<<END $content .= <<<END
<style> <style nonce="$SECURE_NONCE">
.mobilekey { .mobilekey {
display: flex; display: flex;
flex-wrap: wrap; flex-wrap: wrap;
justify-content: space-between; justify-content: space-between;
} }
.mobilekey #mobilecode {
font-family: Ubuntu Mono,monospace;
flex-shrink: 0;
}
</style> </style>
END; END;
$APPS["sync_mobile"]["content"] = $content; $APPS["sync_mobile"]["content"] = $content;

4
home.php
View File

@ -67,7 +67,7 @@ if (!is_empty($_GET['page'])) {
} }
?> ?>
<a class="navbar-brand" href="home.php"> <a class="navbar-brand" href="home.php">
<img style="height: 35px; padding-bottom: 12px; padding-left: 5px;" src="<?php echo $src; ?>" /> <img src="<?php echo $src; ?>" />
</a> </a>
<?php <?php
} }
@ -116,7 +116,7 @@ if (!is_empty($_GET['page'])) {
<?php <?php
if (MENU_BAR_STYLE == "fixed") { if (MENU_BAR_STYLE == "fixed") {
?> ?>
<div style="height: 75px;"></div> <div class="pad-75px"></div>
<?php <?php
} }
?> ?>

1
mobile/index.php
View File

@ -97,6 +97,7 @@ switch ($VARS['action']) {
if (get_account_status($username) == "NORMAL") { if (get_account_status($username) == "NORMAL") {
if (authenticate_user($username, $VARS['password'], $autherror)) { if (authenticate_user($username, $VARS['password'], $autherror)) {
doLoginUser($username, $VARS['password']); doLoginUser($username, $VARS['password']);
$_SESSION['mobile'] = true;
exit(json_encode(["status" => "OK"])); exit(json_encode(["status" => "OK"]));
} }
} }

46
required.php
View File

@ -10,7 +10,11 @@ header('Content-Type: text/html; charset=utf-8');
// l33t $ecurity h4x // l33t $ecurity h4x
header('X-Content-Type-Options: nosniff'); header('X-Content-Type-Options: nosniff');
header('X-XSS-Protection: 1; mode=block'); header('X-XSS-Protection: 1; mode=block');
header('X-Powered-By: Late-night coding frenzies (plz send caffeine, thx)'); header('X-Powered-By: PHP'); // no versions makes it harder to find vulns
header('X-Frame-Options: "DENY"');
header('Referrer-Policy: "no-referrer, strict-origin-when-cross-origin"');
$SECURE_NONCE = base64_encode(random_bytes(8));
$session_length = 60 * 60; // 1 hour $session_length = 60 * 60; // 1 hour
session_set_cookie_params($session_length, "/", null, false, false); session_set_cookie_params($session_length, "/", null, false, false);
@ -18,6 +22,30 @@ session_set_cookie_params($session_length, "/", null, false, false);
session_start(); // stick some cookies in it session_start(); // stick some cookies in it
//// renew session cookie //// renew session cookie
setcookie(session_name(), session_id(), time() + $session_length); setcookie(session_name(), session_id(), time() + $session_length);
if ($_SESSION['mobile'] === TRUE) {
header("Content-Security-Policy: "
. "default-src 'self';"
. "object-src 'none'; "
. "img-src * data:; "
. "media-src 'self'; "
. "frame-src 'none'; "
. "font-src 'self'; "
. "connect-src *; "
. "style-src 'self' 'unsafe-inline'; "
. "script-src 'self' 'unsafe-inline'");
} else {
header("Content-Security-Policy: "
. "default-src 'self';"
. "object-src 'none'; "
. "img-src * data:; "
. "media-src 'self'; "
. "frame-src 'none'; "
. "font-src 'self'; "
. "connect-src *; "
. "style-src 'self' 'nonce-$SECURE_NONCE'; "
. "script-src 'self' 'nonce-$SECURE_NONCE'");
}
// //
// Composer // Composer
require __DIR__ . '/vendor/autoload.php'; require __DIR__ . '/vendor/autoload.php';
@ -30,7 +58,21 @@ require __DIR__ . '/lang/messages.php';
require __DIR__ . '/lang/' . LANGUAGE . ".php"; require __DIR__ . '/lang/' . LANGUAGE . ".php";
function sendError($error) { function sendError($error) {
die("<!DOCTYPE html><html><head><title>Error</title></head><body><h1 style='color: red; font-family: sans-serif; font-size:100%;'>" . htmlspecialchars($error) . "</h1></body></html>"); global $SECURE_NONCE;
die("<!DOCTYPE html>"
. "<meta charset=\"UTF-8\">"
. "<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">"
. "<title>Error</title>"
. "<style nonce=\"" . $SECURE_NONCE . "\">"
. "h1 {color: red; font-family: sans-serif; font-size: 20px; margin-bottom: 0px;} "
. "h2 {font-family: sans-serif; font-size: 16px;} "
. "p {font-family: monospace; font-size: 14px; width: 100%; wrap-style: break-word;} "
. "i {font-size: 12px;}"
. "</style>"
. "<h1>A fatal application error has occurred.</h1>"
. "<i>(This isn't your fault.)</i>"
. "<h2>Details:</h2>"
. "<p>". htmlspecialchars($error) . "</p>");
} }
date_default_timezone_set(TIMEZONE); date_default_timezone_set(TIMEZONE);

10
static/css/app.css
View File

@ -9,6 +9,16 @@
font-size: 110%; font-size: 110%;
} }
.navbar-brand img {
height: 35px;
padding-bottom: 12px;
padding-left: 5px;
}
.pad-75px {
height: 75px;
}
.footer { .footer {
margin-top: 10em; margin-top: 10em;
text-align: center; text-align: center;